On Tue, Oct 19, 2021 at 10:40:12PM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Tue, Oct 19, 2021 at 10:35:41PM -0400, post...@ptld.com wrote:
>
> > >> $ postconf smtpd_discard_ehlo_keywords
> > >> smtpd_discard_ehlo_keywords = pipelining, chunking,
> > >> silent-discard, DSN, ETRN
> > >
> > > Why did you decide to turn off PIPELINING and CHUNKING?
> >
> > Based on the last paragraph of BDAT_README.html I do not see any benefit
> > of offering it and I assume disabling it could remove an avenue of
> > abuse. I also have reject_unauth_pipelining in smtpd_data_restrictions.
> > Am I causing myself a disservice by disabling it?
>
> PIPELINING avoids unnecessary latency in SMTP transactions, with
> little downside. I am not aware of any good reasons to disable it.
>
> The CHUNKING extension is somewhat newer, but it is becoming
> increasingly mainstream. The early implementation bugs should
> have been shaken out by now, or are for the broken systems to
> fix.
>
> I leave both enabled.
>
> --
> Viktor.

The "Downsides" section in BDAT_README doesn't make it sound like
the issue is early bugs. It sounds like a flaw/omission in the design:

  "The RFC 3030 authors did not specify any limitations on how clients
  may pipeline commands. [...] This means that with BDAT, the Postfix
  SMTP server cannot distinguish between a well-behaved client and a
  spambot, based on their command pipelining behavior. If you require
  "reject_unauth_pipelining" to block spambots, then turn off Postfix's
  CHUNKING announcement"

Based on that, I disable CHUNKING, but I leave PIPELINING enabled.
There's nothing in the documentation to suggest that disabling
PIPELINING is a good idea.

cheers,
raf
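A check for the interaction quoted above from BDAT_README, as an added example that is not part of the original message or of Postfix: it warns when reject_unauth_pipelining is in smtpd_data_restrictions while CHUNKING is still announced. The function names has_word and ehlo_audit are hypothetical, and only the two global parameters named in the thread are inspected (assumption: no per-client overrides and no other restriction lists are in play).

```shell
#!/bin/sh
# Added example (not from the thread): audit the two settings discussed here.

# has_word WORD LIST
# True if WORD occurs in LIST, a comma/whitespace separated list,
# compared case-insensitively (Postfix treats EHLO keywords that way).
has_word() {
    hw_word=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    hw_list=$(printf ' %s ' "$2" | tr '[:upper:]' '[:lower:]' | tr ',\t\n' '   ')
    case "$hw_list" in
        *" $hw_word "*) return 0 ;;
    esac
    return 1
}

# ehlo_audit DISCARD_KEYWORDS DATA_RESTRICTIONS
# Returns 1 when reject_unauth_pipelining is relied on but CHUNKING is
# still announced, the combination BDAT_README warns about; otherwise 0.
ehlo_audit() {
    ea_discard=$1
    ea_data=$2
    ea_rc=0
    if has_word pipelining "$ea_discard"; then
        # Informational only: both replies in the thread keep PIPELINING on.
        echo "NOTE: PIPELINING is not announced (extra SMTP round trips)."
    fi
    if has_word reject_unauth_pipelining "$ea_data" &&
       ! has_word chunking "$ea_discard"; then
        echo "WARN: reject_unauth_pipelining is set but CHUNKING is announced;"
        echo "      with BDAT, pipelining behaviour cannot identify spambots."
        ea_rc=1
    fi
    [ "$ea_rc" -eq 0 ] && echo "OK: settings are consistent with BDAT_README."
    return "$ea_rc"
}

# On a host with Postfix installed, audit the live configuration.
if command -v postconf >/dev/null 2>&1; then
    ehlo_audit "$(postconf -h smtpd_discard_ehlo_keywords)" \
               "$(postconf -h smtpd_data_restrictions)" || true
fi
```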